Fixing CSRF issues (apache#2569)

* 0.17.4 * Fixing CSRF issues Since turning CSRF across the site with Flask-WTF, a few POST request have been failing. This PR addresses these issues.
will7200 · Apr 14, 2017 · a8e89d8 · a8e89d8
1 parent 0e5d708
commit a8e89d8
Show file tree

Hide file tree

Showing 8 changed files with 28 additions and 22 deletions.
diff --git a/superset/assets/javascripts/SqlLab/components/App.jsx b/superset/assets/javascripts/SqlLab/components/App.jsx
@@ -5,7 +5,7 @@ import React from 'react';
 import TabbedSqlEditors from './TabbedSqlEditors';
 import QueryAutoRefresh from './QueryAutoRefresh';
 import QuerySearch from './QuerySearch';
-import AlertsWrapper from './AlertsWrapper';
+import AlertsWrapper from '../../components/AlertsWrapper';
 
 import { bindActionCreators } from 'redux';
 import { connect } from 'react-redux';

diff --git a/...ripts/SqlLab/components/AlertsWrapper.jsx → .../javascripts/components/AlertsWrapper.jsx b/...ripts/SqlLab/components/AlertsWrapper.jsx → .../javascripts/components/AlertsWrapper.jsx
diff --git a/superset/assets/javascripts/explorev2/index.jsx b/superset/assets/javascripts/explorev2/index.jsx
@@ -7,14 +7,17 @@ import { Provider } from 'react-redux';
 import thunk from 'redux-thunk';
 import { now } from '../modules/dates';
 import { initEnhancer } from '../reduxUtils';
+import AlertsWrapper from '../components/AlertsWrapper';
 import { getControlsState, getFormDataFromControls } from './stores/store';
+import { initJQueryAjaxCSRF } from '../modules/utils';
 
 
 // jquery and bootstrap required to make bootstrap dropdown menu's work
 const $ = window.$ = require('jquery'); // eslint-disable-line
 const jQuery = window.jQuery = require('jquery'); // eslint-disable-line
 require('bootstrap');
 require('./main.css');
+initJQueryAjaxCSRF();
 
 const exploreViewContainer = document.getElementById('js-explore-view-container');
 const bootstrapData = JSON.parse(exploreViewContainer.getAttribute('data-bootstrap'));
@@ -47,7 +50,10 @@ const store = createStore(exploreReducer, bootstrappedState,
 
 ReactDOM.render(
   <Provider store={store}>
-    <ExploreViewContainer />
+    <div>
+      <ExploreViewContainer />
+      <AlertsWrapper />
+    </div>
   </Provider>,
   exploreViewContainer
 );
diff --git a/superset/assets/spec/javascripts/sqllab/AlertsWrapper_spec.jsx b/superset/assets/spec/javascripts/sqllab/AlertsWrapper_spec.jsx
@@ -1,5 +1,5 @@
 import React from 'react';
-import AlertsWrapper from '../../../javascripts/SqlLab/components/AlertsWrapper';
+import AlertsWrapper from '../../../javascripts/components/AlertsWrapper';
 import { describe, it } from 'mocha';
 import { expect } from 'chai';
 

diff --git a/superset/assets/utils/common.js b/superset/assets/utils/common.js
@@ -1,3 +1,4 @@
+/* global notify */
 /* eslint global-require: 0 */
 import $ from 'jquery';
 const d3 = window.d3 || require('d3');
@@ -78,12 +79,8 @@ export function getShortUrl(longUrl, callback) {
     success: (data) => {
       callback(data);
     },
-    error: (error) => {
-      /* eslint no-console: 0 */
-      if (console && console.warn) {
-        console.warn('Something went wrong...');
-        console.warn(error);
-      }
+    error: () => {
+      notify.error('Error getting the short URL');
       callback(longUrl);
     },
   });

diff --git a/superset/templates/superset/basic.html b/superset/templates/superset/basic.html
@@ -23,6 +23,12 @@
         {% include "superset/partials/_script_tag.html" %}
       {% endwith %}
     {% endblock %}
+    <input
+      type="hidden"
+      name="csrf_token"
+      id="csrf_token"
+      value="{{ csrf_token() if csrf_token else '' }}"
+    >
   </head>
 
   <body>
@@ -39,12 +45,6 @@
       <div id="app" data-bootstrap="{{ bootstrap_data }}" >
         <img src="/static/assets/images/loading.gif" style="width: 50px; margin: 10px;">
       </div>
-      <input
-        type="hidden"
-        name="csrf_token"
-        id="csrf_token"
-        value="{{ csrf_token() if csrf_token else '' }}"
-      >
     {% endblock %}
 
     <!-- Modal for misc messages / alerts  -->

diff --git a/superset/templates/superset/dashboard.html b/superset/templates/superset/dashboard.html
@@ -5,10 +5,4 @@
     {% include 'superset/flash_wrapper.html' %}
     <div id="root"></div>
 </div>
-<input
-  type="hidden"
-  name="csrf_token"
-  id="csrf_token"
-  value="{{ csrf_token() if csrf_token else '' }}"
->
 {% endblock %}
diff --git a/superset/templates/superset/models/database/macros.html b/superset/templates/superset/models/database/macros.html
@@ -5,13 +5,22 @@
     $("#testconn").click(function(e) {
       e.preventDefault();
       var url = "/superset/testconn";
+      var csrf_token = "{{ csrf_token() }}";
+
+      $.ajaxSetup({
+        beforeSend: function(xhr, settings) {
+          if (!/^(GET|HEAD|OPTIONS|TRACE)$/i.test(settings.type) && !this.crossDomain) {
+            xhr.setRequestHeader("X-CSRFToken", csrf_token);
+          }
+        }
+      });
 
       var data = {};
       try{
         data = JSON.stringify({
           uri: $("#sqlalchemy_uri").val(),
           name: $('#database_name').val(),
-          extras: JSON.parse($("#extra").val())
+          extras: JSON.parse($("#extra").val()),
         })
       } catch(parse_error){
         alert("Malformed JSON in the extras field: " + parse_error);